Challenges of Information Security

Mr. Robert Lentz
Director of Information Assurance
Office of the Assistant Secretary of Defense for Networks and Information Integration

Over the years we have engaged in many discussions regarding the new challenges facing global security for the coming decades. Last year, Admiral Di Paola, Chief of Defense of Italy, talked of the new challenges in a world of transformation; General Naumann, Chief of Defense of Germany, emphasized organizations in need of a fresh look; and Dr. Wells, of the U.S. Department of Defense CIO Department, emphasized the transition to net-centric operations. All these presentations and many others in past summits have a common thread, that is: Are we positioning ourselves effectively for the future security environment? I would argue that we are confronting an information revolution for which we all are unprepared!

While the U.S. Department of Defense and many other military defense establishments are making significant progress towards leveraging emerging information-age technologies and grasping the vision of network-centric information operations, a transformation of this scope offers innumerable challenges and opportunities. The reality is that inducing change in military and governmental establishments is slow, painful work. This probably explains why most “information age” experts feel we in the government are only now beginning to emerge from industrial age thinking.

Why is this important? Everyone appreciates the power of the Internet—how it makes the world smaller, more connected, more efficient. Experts agree that networked computers are our most powerful assets. As you know, within DoD, we call this the Global Information Grid (GIG). Other expert views:

For Vint Cerf, father of the Internet, “The GIG will change the military the way the Internet is changing business and culture.”

For Lockheed Martin’s CEO, “The GIG will shape 21st century operations in the way nuclear technology concluded WWII and controlled the Cold War.”

According to former Deputy Secretary of Defense Dr. Hamre, “Our unending appetite for information can only be realized by leveraging the power of the Internet and fully implementing the GIG.”

And for Defense Secretary Rumsfeld, “The single most transforming event is not the weapons system but the GIG/Net-Centric Operations.”

As the former CIO from AT&T has stated, on the most basic level we all are witnessing radio, TV, movies, and telephones all converging to leverage the Internet. We are all going to operate in communities of interest that are wider and more powerful than we ever imagined. And we all are going to have to quickly adopt new technologies at information-age speeds, in months, not years, if we are going to be competitive and meet the demands of 21st century operations. Some examples are deploying a powerful Internet Sensing Grid for early warning and response to environmental disasters like this past year’s earthquake in Pakistan or the 2004 tsunami. Other examples are sophisticated collaboration networks being deployed to detect the movement of potential terrorists; micro-sensors embedded in structures for real-time reconfigurations in the face of hurricanes, tornadoes or other catastrophes; and of course the multitude of transformations underway in monitoring the power grid, roadways, and telecommunications networks, in most cases belonging not just to governments but to global enterprises with no national boundaries.

On the negative side, the information age gives our adversaries a fertile footprint in which to operate and further their interests. Recreational hacking has become hacking for money. The FBI in the U.S. is getting more than one cyber extortion case every day. More than 100 organizations report cyber extortion. This epidemic originally started as a way for rival cyber gangs to take down chat rooms of their competitors. Now, for money, gangs will threaten to take down sites in time increments—say 15 minutes—and will escalate as you bring in law enforcement. The Bali bomber wrote in his autobiography that “If hacking is successful, get ready to gain windfall income for just 3 to 6 hours of work, greater than the income that a policeman earns in 6 months of work. But, please do not do that for money alone. I want America and its cronies to be crushed in all aspects.”

Here are some interesting trends expected to be in effect by 2010:

One cyber bug will hit the Internet every 5 minutes.

The number of security incidents will swell to 400,000 a year or 8,000 a week.

An average PC will cost $99 and will contain 200 million lines of code (LOCs).

Within those LOCs there will be an estimated 2 million software bugs.

The average software vulnerability that used to take months or weeks to be exploited by hackers is now taking days, and very soon these groups will have Zero Day and sub-Zero Day capability to attack systems and networks before a vulnerability is known or published.

So as an information security leader, I am excited but deeply worried that we are not taking these future challenges as seriously as we need to in light of the asymmetric and unconventional threats facing us today, especially those on the horizon. From my vantage point, it is not just about technology. In fact, I would argue it is more about governance and leadership.

Traditionally, military organizations have focused primarily on delivering military mass and power into the battle space. This approach to military operations has been platform-based, but that is now changing in military organizations around the world as they move toward network-centric operations.

While the details of new network-centric operational concepts are being applied differently by nations, the new concepts are all underpinned by the common understanding of the changing and growing role that one critical factor will play in increasing military effectiveness: Information. The Chief Information Officer (CIO) has really become the center of gravity. In most military establishments this is not the case. They see the CIO as the IT operations focal point. In reality, the primary concern of the CIO in the future enterprise is as the visionary and strategic planner; the core technical competency is to ensure the integrity of the information and availability of the infrastructure. In the information age that is a daunting challenge! Looking over the entire enterprise, they have to be certain there are no errors or losses of any of the data and information served up to the users. Today this job is important; tomorrow it is a huge responsibility. The CIO is not only the technologist but also the knowledge leader and the information strategist.

The intelligent use of information across an organization and its partners affects and influences all aspects of that organization—from the front line to the back office, from equipment purchase to financial controls, including the organization’s relationships with its partners, whether they are commercial suppliers or other government organizations.

Most information age experts attest that the paradigm shift is more cultural than technical. A growing body of evidence shows that successful net-centric operations are about human and organizational behavior. This is not just for the private sector but government organizations as well. The purchase and deployment of net-ready capabilities will deliver little benefit if the processes and procedures that govern how they are used are left unchanged. Another key objective in achieving success will come from prioritizing and coordinating the myriad pieces that make up new initiatives. Success will be realized only if the approach and the changes it requires are embedded across the whole organization—in the way its people think, train, and act and in everything it does.

Within complex organizations like NATO this is a huge challenge!

So, as an example, one of the CIO’s core responsibilities is also that of chief security officer! There is a completely new paradigm for running a business or government enterprise. In the face of asymmetric warfare and the reality that a successful information attack can paralyze an organization or bankrupt a business, this responsibility has become a core role.

Most, if not all, successful businesses today rely on the CIO. He sits at the right hand of the CEO. Within the U.S., good examples are Wal-Mart, FedEx, AT&T, and Southwest Airlines. For Wal-Mart, their CIO was an early pioneer in pushing radio frequency identification (RFID) technology, embracing it as a tool for reducing inefficiency and increasing productivity. Officials at the European Central Bank, for example, are working on a project to embed RFID tags into higher-denomination euro bills. And going hand in hand with these new technologies is security. The key attributes of all these successful enterprises are agility, adaptability, scalability, and interoperability.

Within DoD we have a three-pronged CIO strategy: build, populate, and protect. For the protect mission area, we have five strategic imperatives: empower the people, transform the processes, trust the info, secure the network, and effectively operate. What is important is not necessarily the specifics as much as having a strategic framework. The question is: Are all the institutions we rely upon for our safety and security, such as NATO, aggressively moving in this direction? Are we effectively balancing the key tenets of net-centric operations to transform the organization, culture, and planning?

In reality, we are all in this together. We must develop a simple, open, flexible, and on-demand infrastructure to share security information and policies. We need a common, interoperable architecture. The wider our view of global network traffic, the more proactive we become in responding to threats. The experience gained by the commercial industry during large-scale transformations can benefit the armed forces in their practical realization of network-centric operations.